[WIP][DO NOT MERGE][AKS] Support service account image pull feature

[norshtein]

---

This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

az aks create and az aks update

General Guidelines

• Have you run azdev style <YOUR_EXT> locally? (pip install azdev required)
• Have you run python scripts/ci/test_index.py -q locally? (pip install wheel==0.30.0 required)
• My extension version conforms to the Extension version schema

For new extensions:

• My extension description/summary conforms to the Extension Summary Guidelines.

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Hi @norshtein,
Please write the description of changes which can be perceived by customers into HISTORY.rst.
If you want to release a new extension version, please update the version in setup.py as well.

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[github-actions]

CodeGen Tools Feedback Collection

Thank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill our codegen survey

[github-actions]

Hi @norshtein

Release Suggestions

Module: aks-preview

• Update VERSION to 19.0.0b25 in src/aks-preview/setup.py

Notes

• For more info about extension versioning, please refer to Extension version schema

[Copilot]

Pull request overview

This PR adds support for a new AKS service account image pull feature, allowing clusters to authenticate to Azure Container Registry using service account scoped managed identities instead of the node-scoped kubelet identity. It adds three new CLI parameters: --enable-service-account-image-pull, --disable-service-account-image-pull (update only), and --service-account-image-pull-default-managed-identity-id.

Changes:

• New context getter methods and create/update decorator methods for the ServiceAccountImagePullProfile security sub-profile
• New CLI parameter registrations (_params.py), function signatures (custom.py), and help text (_help.py)
• Unit tests for the new context getters and decorator methods, plus integration test stubs for live testing

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
managed_cluster_decorator.py	Core logic: context getters (get_enable/disable_service_account_image_pull, get_service_account_image_pull_default_managed_identity_id), and decorator methods (set_up_service_account_image_pull for CREATE, update_service_account_image_pull for UPDATE)
custom.py	Added three new parameters to aks_create and aks_update function signatures
_params.py	Registered the new CLI parameters for both create and update contexts as is_preview=True
_help.py	Added help text for the new parameters in both aks create and aks update command groups
test_managed_cluster_decorator.py	Unit tests for the new getter methods and decorator methods; also restructured existing test_get_image_cleaner_interval_hours into a separate _extended method
test_aks_commands.py	Added integration test stubs for create and update scenarios (missing recording files)
HISTORY.rst	Added entry under Pending section documenting the new parameters

Comments suppressed due to low confidence (1)

src/aks-preview/azext_aks_preview/tests/latest/test_managed_cluster_decorator.py:1857

• The new test_get_image_cleaner_interval_hours_extended method starts with a variable named ctx_2, skipping ctx_1. This is confusing because the method is a new standalone test, not a continuation - it should start from ctx_1. More significantly, the variable ctx_2 is reused twice in this same method (lines 1833 and 1846) for two different test scenarios, which is also inconsistent with the pattern used in the rest of the test file where each test context is given a unique number.

    def test_get_image_cleaner_interval_hours_extended(self):
        ctx_2 = AKSPreviewManagedClusterContext(
            self.cmd,
            AKSManagedClusterParamDict(
                {
                    "enable_image_cleaner": True,
                    "image_cleaner_interval_hours": 24,
                }
            ),
            self.models,
            decorator_mode=DecoratorMode.CREATE,
        )
        self.assertEqual(ctx_2.get_image_cleaner_interval_hours(), 24)

        ctx_2 = AKSPreviewManagedClusterContext(
            self.cmd,
            AKSManagedClusterParamDict(
                {
                    "image_cleaner_interval_hours": 24,
                }
            ),
            self.models,
            decorator_mode=DecoratorMode.CREATE,
        )
        with self.assertRaises(RequiredArgumentMissingError):
            ctx_2.get_image_cleaner_interval_hours()

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

In update_service_account_image_pull, when only service_account_image_pull_default_managed_identity_id is provided without either enable_service_account_image_pull or disable_service_account_image_pull, and the cluster has no existing service_account_image_pull_profile, the code creates a new profile with enabled=None (line 6302) and sets the identity ID. Sending a profile where enabled is not set to the API is likely unintended behavior and could result in an API error or an inconsistent state. The code should either raise a RequiredArgumentMissingError in this case, or only allow updating the identity ID when the feature is already enabled (by checking the existing profile's state from the mc object).

[Copilot]

In set_up_service_account_image_pull (CREATE path), when a user provides --service-account-image-pull-default-managed-identity-id without --enable-service-account-image-pull, the identity ID is silently ignored because the code only enters the configuration block when get_enable_service_account_image_pull() is truthy. This could be confusing to users. Consider adding a warning or raising a RequiredArgumentMissingError similar to how other paired parameters in this codebase handle mismatched usage (e.g., get_image_cleaner_interval_hours raises RequiredArgumentMissingError when image_cleaner_interval_hours is provided without enable_image_cleaner).

[Copilot]

The test test_set_up_service_account_image_pull (CREATE path) does not cover the scenario where service_account_image_pull_default_managed_identity_id is provided without enable_service_account_image_pull. In this case, the identity is silently ignored (the function returns early at line 4104 when get_enable_service_account_image_pull() is falsy). Adding a test case for this scenario would help document and verify the actual behavior.

[Copilot]

The new integration tests test_aks_create_with_service_account_image_pull and test_aks_update_with_service_account_image_pull do not have corresponding recording files in the recordings/ directory. Without YAML recording files, these tests cannot run in replay mode (CI). Recording files need to be created by running the tests in live mode against a real Azure subscription before this PR can pass CI.

[qweeah]

Disable flag and managed identity flag should also be mutually exclusive.

[qweeah]

Do we want to validate the format of the resource id to fail fast if user provided like a client ID?